Malicious NuGet package activity targeting ASP.NET Identity
Malware Activity
Summary
Four malicious NuGet packages were uncovered that exfiltrate ASP.NET Identity data and create persistent backdoors, putting deployed ASP.NET applications at risk. The packages were published between August 12 and 21, 2024 and later removed after responsible disclosure. One package, NCryptYo, staged a localhost:7152 proxy to relay traffic to attacker-controlled infrastructure. The companion packages, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, added theft, file-writing, and hidden execution capabilities.
Related Happenings
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Famous Chollima PromptMink supply-chain campaign targeting Web3 developers
Campaign
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....
Npm package ecosystem CanisterWorm exploitation wave
Exploitation Wave
First: 23.03.2026 10:31
Last: 23.03.2026 10:31
Sources 1
About this happening:
Attackers expanded the **Trivy** compromise into a **self-propagating CanisterWorm** wave that hit **dozens of npm packages**, creating broad downstream supply-chain risk. The abu...
Timeline
25.02.2026 14:43 2 articles · 3mo ago
Malicious NuGet packages target ASP.NET Identity
Initial Disclosure
Four NuGet packages (NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_) were published between August 12 and 21, 2024 by hamzazaheer and later removed after responsible disclosure. The packages targeted ASP.NET web application developers by exfiltrating ASP.NET Identity data, including user accounts, role assignments, and permission mappings, while manipulating authorization rules to create persistent backdoors in victim applications. NCryptYo masqueraded as NCrypto and staged a localhost:7152 proxy to relay traffic to attacker-controlled C2; DOMOAuth2_ and IRAOAuth2.0 forwarded Identity data through that proxy; and SimpleWriter_ added unconditional file writing and hidden process execution.
Sources:
- Malicious NuGet Packages Stole ASP.NET Data; npm Package Dropped Malware — thehackernews.com — 25.02.2026 14:43